[openstack-dev] [keystone] Inherited domain roles
David Chadwick
d.w.chadwick at kent.ac.uk
Fri Jun 7 08:17:10 UTC 2013
Hi Arvind
On 06/06/2013 23:02, Tiwari, Arvind wrote:
> Hi Henry,
>
> I totally agree with David Chadwick that roleDefs themselves should have
> enough info so that the underlying system (role assignment) can make some
> decision whether a roleDef is inheritable or not. Below is my proposal
> which is extensible and pretty much aligned with David’s thoughts.
>
Before diving into the implementation details, perhaps we should agree
which types of inheritance should be supported. Let's try to list all of
the inheritance possibilities, and then decide which should be supported
(or not).
1. A global role definition which can be inherited by all domains as and
when they are created.
2. A domain defined role which can be inherited by all projects in the
domain as and when they are created.
3. A project defined role which can be inherited by all users of the
project (this is the traditional inheritance in the hierarchical RBAC
model, but I don't think Keystone supports hierarchical RBAC, does it?).
4. A global role definition inherited by a domain that can be inherited
by all projects in the domain.
5. A global role definition inherited by a domain and by a project in
the domain that can be inherited by users of the project.
6. A domain defined role inherited by a project in the domain that can
be inherited by users of the project.
Next we have to decide if an inheritable role can be partially inherited
or not. By partial inheritance, I mean that only a subset of the
subordinates can inherit the role definition, as opposed to the complete
set of all subordinates, e.g. if a global role is specified to be
inheritable, does this mean that all domains will automatically inherit
it, or should there be a mechanism to specify which domains can inherit
it? This can get messy, because now you need to decide whether partial
inheritance is based on a white list or a black list, meaning either
only those subordinates that are listed can inherit the definition, or
all subordinates which are not listed can inherit the definition.
My preference would be to only support full inheritance in the first
instance, unless someone has a good argument to make for partial inheritance.
regards
David
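To make the six inheritance cases and the full-versus-partial question above concrete, here is a small model added to this archive page; it is not Keystone code and not part of David's or Arvind's proposal. It assumes a scope tree of global -> domain -> project -> user, a RoleDef with an `inheritable` flag, and an optional `partial` white list ("allow") or black list ("deny") naming the immediate subordinates that may receive the definition. The scope and role names are constructed sample data.

```python
"""Toy model of role-definition inheritance (added illustration, not Keystone code).

Assumptions made for the example:
  - scopes form a tree: global -> domain -> project -> user
  - a RoleDef lives at one scope ("defined_at"), covering cases 1-3 above
  - inheritable=True lets it flow to every subordinate (cases 4-6); a
    `partial` white/black list restricts which immediate subordinates get it
"""
from dataclasses import dataclass
from typing import Optional, Iterator, Set, Tuple


@dataclass(frozen=True)
class Scope:
    kind: str                       # "global", "domain", "project" or "user"
    name: str
    parent: Optional["Scope"] = None

    def ancestors(self) -> Iterator["Scope"]:
        """Yield self, then parent, grandparent, ... up to the global scope."""
        s = self
        while s is not None:
            yield s
            s = s.parent


@dataclass
class RoleDef:
    name: str
    defined_at: Scope
    inheritable: bool = False
    # None = full inheritance (every subordinate). Otherwise ("allow", names)
    # is a white list and ("deny", names) a black list of the names of the
    # scopes immediately below defined_at that may inherit the definition.
    partial: Optional[Tuple[str, Set[str]]] = None

    def inherited_by(self, scope: Scope) -> bool:
        """True if `scope`, a strict subordinate of defined_at, receives this role."""
        if not self.inheritable:
            return False
        chain = list(scope.ancestors())            # scope, ..., defined_at, ..., global
        if self.defined_at not in chain:
            return False
        idx = chain.index(self.defined_at)
        if idx == 0:
            return False                           # same scope: defined, not inherited
        if self.partial is None:
            return True                            # full inheritance
        # Partial inheritance is decided at the level just below defined_at, so a
        # domain cut off from a global role also cuts off all of its projects.
        immediate = chain[idx - 1]
        mode, names = self.partial
        listed = immediate.name in names
        return listed if mode == "allow" else not listed


def effective_roles(scope: Scope, roledefs) -> Set[str]:
    """Role definitions visible at `scope`: defined there, or inherited from above."""
    visible = set()
    for rd in roledefs:
        if rd.defined_at == scope or rd.inherited_by(scope):
            visible.add(rd.name)
    return visible


# Constructed sample hierarchy.
GLOBAL = Scope("global", "*")
DOM_A = Scope("domain", "domA", GLOBAL)
DOM_B = Scope("domain", "domB", GLOBAL)
PROJ_A1 = Scope("project", "projA1", DOM_A)
PROJ_B1 = Scope("project", "projB1", DOM_B)
USER_A1 = Scope("user", "alice", PROJ_A1)

# Constructed sample role definitions covering the cases in the list above.
ROLEDEFS = [
    RoleDef("auditor", GLOBAL, inheritable=True),                               # cases 1, 4, 5
    RoleDef("billing", GLOBAL, inheritable=True, partial=("allow", {"domA"})),  # white-listed domains
    RoleDef("quota_admin", GLOBAL, inheritable=True, partial=("deny", {"domB"})),  # black-listed domains
    RoleDef("dev", DOM_A, inheritable=True),                                    # cases 2, 6
    RoleDef("domain_admin", DOM_A, inheritable=False),                          # stays at the domain
    RoleDef("reviewer", PROJ_A1, inheritable=True),                             # case 3
]

if __name__ == "__main__":
    for s in (GLOBAL, DOM_A, DOM_B, PROJ_A1, PROJ_B1, USER_A1):
        print(f"{s.kind}:{s.name} -> {sorted(effective_roles(s, ROLEDEFS))}")
```

Running it shows the bookkeeping partial inheritance introduces: `billing` reaches `projA1` and `alice` because their domain is white-listed, while `domB` and everything under it see only `auditor`, and whether a missing entry means "excluded" or "included" depends entirely on the allow/deny mode chosen for that RoleDef.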